Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 528840 (CVE-2014-3707)

Summary: <net-misc/curl-7.39.0: libcurl duphandle read out of bounds (CVE-2014-3707)
Product: Gentoo Security Reporter: Tiago Marques <bugs>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: blueness, gregkh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 522820    
Bug Blocks:    

Description Tiago Marques 2014-11-10 16:15:54 UTC
As described in and 

Reproducible: Always
Comment 1 Alex Xu (Hello71) 2014-11-10 19:34:45 UTC
*** Bug 528842 has been marked as a duplicate of this bug. ***
Comment 2 Alex Xu (Hello71) 2014-11-10 19:38:00 UTC
Comment 3 Anthony Basile gentoo-dev 2014-11-11 00:13:50 UTC
(In reply to Tiago Marques from comment #0)
> As described in and 
> Reproducible: Always

From the report: Not affected versions: libcurl >= 7.39.0.

curl-7.39.0 has now been added to the tree and I've removed all older unstable versions that were vulnerable.

We should rapid stabilize.

TARGETS="alpha amd64 arm arm64 hppa ia64 ppc ppc64 s390 sparc x86"

I'm cc-ing arm64 that may want to stabilize this important package.
Comment 4 Anthony Basile gentoo-dev 2014-11-11 00:19:00 UTC
@alpha, arm64, ia64, sparc.  You will need to stabilize =net-dns/c-ares-1.10.0-r1 first.  See bug #522820.
Comment 5 Agostino Sarubbo gentoo-dev 2014-11-11 08:33:44 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-11-11 08:33:59 UTC
x86 stable
Comment 7 Anthony Basile gentoo-dev 2014-11-11 10:56:29 UTC
stable on ppc and ppc64
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2014-11-11 11:39:14 UTC
Stable for HPPA.
Comment 9 Anthony Basile gentoo-dev 2014-11-13 12:18:39 UTC
stable on arm
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2014-11-20 13:45:58 UTC
Stable on alpha
Comment 11 Agostino Sarubbo gentoo-dev 2014-11-20 15:48:16 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-01 09:18:00 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 02:08:10 UTC
CVE-2014-3707 (
  The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when
  running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP
  POST data for an easy handle, which triggers an out-of-bounds read that
  allows remote web servers to read sensitive memory information.
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-01-05 00:14:56 UTC
GLSA Vote: No
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-01-05 00:40:49 UTC
GLSA vote: no.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2015-05-11 20:15:32 UTC
For this version it is all cleaned up. Thank you